Securing Your Stack: SBOM Generation and Vulnerability Tracking in Quarkus

How to generate Software Bill of Materials in Quarkus and integrate with tools like Dependency-Track and Snyk for continuous security.

Modern software isn’t built from scratch. It’s assembled. From frameworks, libraries, modules, and transitive dependencies pulled in through Maven or Gradle. While this accelerates development, it also opens the door to a major risk: untracked, outdated, or vulnerable third-party code. That’s why Software Bill of Materials (SBOMs) have become critical in enterprise application development. Especially for Java applications built with Quarkus, SBOM generation is not just a compliance checkbox, it’s a practical foundation for security analysis, compliance, and operational confidence.

In this article, I’ll explain what SBOMs are, why they matter for Java developers and architects, how Quarkus makes SBOM generation simple using the CycloneDX format, and how to plug these SBOMs into tools like OWASP Dependency-Track and Snyk for vulnerability analysis and mitigation workflows.

What is an SBOM and Why Does It Matter?

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all the components, libraries, and dependencies in a software application. Think of it as a nutrition label or ingredient list, but for software.

It usually includes:

• Package names

• Versions

• Licenses

• Dependency relationships

• Hashes for component integrity

• Source and origin metadata

This information is crucial for:

• Security: Quickly identify if your app includes a vulnerable version of a library (e.g., Log4j 2.14.1).

• Compliance: Verify licensing requirements and avoid unexpected legal risk.

• Incident response: Speed up investigations when a new CVE drops.

• Operational transparency: Help DevSecOps teams and auditors understand what’s inside the software.

In regulated industries or federal contracts, SBOMs are now often mandatory due to recent cybersecurity executive orders and NIST guidance.

CycloneDX: The De Facto SBOM Standard for Java

There are several SBOM formats: SPDX, CycloneDX, and SWID. But CycloneDX has emerged as a preferred choice for Java developers. It was created by the OWASP Foundation and has native support in popular build tools and security scanners.

Quarkus supports CycloneDX out of the box using a Maven extension. The CycloneDX format is XML or JSON-based, easy to generate, and directly consumable by vulnerability tracking tools.

SBOMs in Practice with Quarkus

Let’s get practical. If you’re using Maven to build your Quarkus app, generating an SBOM is just one plugin away.

Step 1: Add CycloneDX Maven Plugin

Add the plugin to your pom.xml:

<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>2.7.10</version>
      <executions>
        <execution>
          <phase>verify</phase>
          <goals>
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

This plugin scans all your project's direct and transitive dependencies and produces a CycloneDX-compliant SBOM in target/bom.json or target/bom.xml.

Quarkus applications typically have a slim runtime classpath, especially in native mode. Make sure you’re generating the SBOM against the final application artifact, not just the development profile.

Step 2: Build the App

./mvnw clean verify

You should now see the SBOM file in your target/ directory. The JSON version is especially useful for integrating with tools and dashboards.

Integrating SBOMs with OWASP Dependency-Track

Once you have your SBOM, the next step is analysis. OWASP Dependency-Track is a powerful platform that continuously monitors the dependencies of your applications and maps them to known vulnerabilities from sources like the NVD (National Vulnerability Database) and OSS Index.

Why Dependency-Track?

• Detects known CVEs in your components

• Tracks components across multiple projects

• Integrates with CI/CD for policy enforcement

• Supports license and version policy compliance

How to Use It with Quarkus

1. Deploy Dependency-Track

You can run it locally using Podman:

podman run -p 8080:8080 -d --name dependency-track owasp/dependency-track

2. Create a Project

Log in to the UI (http://localhost:8080), create a new project (e.g., my-quarkus-app), and note the project UUID.

3. Upload the SBOM

You can upload the SBOM via UI or automate it using their REST API.

Here’s how to do it using curl:

curl -X POST "http://localhost:8080/api/v1/bom" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: multipart/form-data" \
  -F "bom=@target/bom.json" \
  -F "project=<project-uuid>"

Dependency-Track will parse the SBOM, cross-reference it with vulnerability databases, and provide a dashboard with findings, severity scores, and suggested upgrades.

Analyzing Quarkus SBOMs with Snyk

Snyk is another excellent tool for vulnerability scanning and mitigation, especially for teams using GitHub, GitLab, or CI/CD pipelines.

Snyk supports both SBOM ingestion and direct scanning of Maven projects. If you want to integrate it into your development flow, it’s as easy as installing the CLI.

Install Snyk CLI

npm install -g snyk
snyk auth

Scan Your Quarkus Project

You don’t need an SBOM for this step (Snyk builds it internally), but you can generate one if needed:

snyk test

This scans your dependencies and outputs a list of known vulnerabilities, prioritized by CVSS score and exploit maturity. It also gives remediation advice.

To generate an SBOM directly from your Quarkus Maven project:

snyk sbom --format=cyclonedx+json > snyk-bom.json

This SBOM can then be used with other tools or stored for compliance purposes.

Comparing Dependency-Track and Snyk

Feature OWASP Dependency-Track Snyk Source Open Source Commercial (Free Tier) SBOM Format CycloneDX CycloneDX Integration API, CI/CD, Webhook GitHub, GitLab, CLI License compliance Yes Yes Policy Enforcement Strong (via Scorecards) Strong (via Projects) Suggested Fixes Manual Automatic Suggestions Ideal for Internal dashboards Developer pipelines

Use both if you can: Snyk for active scanning in development, and Dependency-Track for continuous monitoring in staging/production environments.

Automating SBOMs in CI/CD with Quarkus

For production-grade workflows, you should integrate SBOM generation into your build pipelines. Here’s how that looks in GitHub Actions:

name: Build Quarkus and Generate SBOM

on:
  push:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'temurin'

    - name: Build with Maven
      run: ./mvnw clean verify

    - name: Upload SBOM
      uses: actions/upload-artifact@v4
      with:
        name: sbom
        path: target/bom.json

From here, you can send the SBOM to your security tool of choice.

Mitigating Vulnerabilities in Quarkus Apps

Once vulnerabilities are detected, what’s next?

1. Check if you’re actually using the vulnerable path.

   • Tools like Snyk can show reachable paths.

   • For unused dependencies, consider removing them.

2. Update to a safe version.

   • Quarkus BOMs make this easier. Use managed dependencies instead of hardcoding versions.

   • Avoid skipping updates. Patch cadence matters.

3. Use vulnerability suppression when necessary.

   • Sometimes vulnerabilities are false positives or not exploitable in your context.

   • Tools like Dependency-Check support suppressions via XML.

4. Monitor dependencies post-release.

   • Just because your app passed security checks at release time doesn’t mean it’s safe six months later.

   • Tools like Dependency-Track and Renovate bots help here.

Quarkus-Specific Best Practices

• Use the Quarkus BOM: Instead of managing versions manually, rely on the Quarkus platform BOM. It’s tested, curated, and updated regularly.

<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-bom</artifactId>
      <version>3.21.3.Final</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

• Watch native-image support: Native compilation uses closed-world assumptions. Ensure the SBOM reflects native-compatible dependencies.

• Slim your final image: Use quarkus.package.type=uber-jar or native to keep dependencies minimal and predictable.

• Prefer runtime scanning in production: SBOMs are useful at build time, but pair them with container or runtime scanning for end-to-end coverage.

SBOMs are no longer optional

They’re table stakes for secure software delivery. With Quarkus, generating an SBOM is straightforward and integrates naturally into modern Java build pipelines. By producing a CycloneDX SBOM and feeding it into tools like OWASP Dependency-Track and Snyk, developers gain deep visibility into what they ship—and the risks they carry.

Security isn’t just about patching bugs. It’s about visibility, automation, and proactive defense. With Quarkus and the right tooling, you can bake that into your development lifecycle without friction.

References

• Quarkus Guide: SBOM with CycloneDX

• CycloneDX Specification

• OWASP Dependency-Track

• Snyk CLI Documentation

• Quarkus Maven Plugin Docs